
Proposed NYS DFS Cybersecurity Regulations to Significantly Impact FS Companies

This September, the New York State Department of Financial Services (“DFS”) issued a proposed cybersecurity regulation, which is expected to become effective on January 1, 2017 and will require banks, insurance companies and other institutions regulated by the DFS (“Covered Entities”) to establish and maintain a rigorous cybersecurity program[1]. Unless the regulation is dramatically altered before it becomes final, it will be one of the broadest and most demanding cybersecurity regulations in the country. The existing cybersecurity programs of many affected companies will likely not comply with the new proposed regulation.

What Information Is the Proposed Regulation Designed to Protect?

The purpose of the DFS’s proposed regulation is to protect the security of Covered Entities’ “Information Systems” and both their and their clients’ “Nonpublic Information.” While other data privacy and cybersecurity regulations focus on protecting personally identifiable information, the DFS’s proposed regulation defines “Nonpublic Information” much more broadly. Under the proposed regulation, “Nonpublic Information” includes:

  1. any business-related information, the tampering with which would cause a “material adverse impact to the business, operations or security of the Covered Entity”;
  2. “any information” that a client or customer provides to a Covered Entity in connection with the seeking or obtaining of any financial product or service; and
  3. information that can be used to identify any individual, including an individual’s name, Social Security number, date and place of birth, mother’s maiden name and biometric records.

This information will not be deemed Nonpublic Information if it is “Publicly Available Information.” However, this exception is narrow, as it requires a Covered Entity to have a “reasonable basis to believe” that the information was “lawfully made available to the general public” via certain specified sources. Therefore, Covered Entities will need to perform some due diligence to “reasonably” satisfy themselves that the dissemination of publicly-available information was “lawful.”

Who Will Be Subject to the Regulation?

The proposed regulation applies to any “Covered Entity,” which includes an individual or organization that operates under a license, registration or other authorization under New York State’s banking, insurance or financial services laws. This includes banks and trust companies, insurance companies, licensed consumer lenders, check cashers, licensed mortgage lenders and brokers, and other institutions that are regulated by the DFS.

Moreover, organizations that are not themselves regulated by the DFS will also be affected, because Covered Entities will be required to identify and assess the cybersecurity risks of doing business with business partners that have access to their Information Systems and Nonpublic Information. Business partners that do not maintain adequate cybersecurity practices may ultimately find themselves unable to do business with Covered Entities.

What Does the Proposed Regulation Require?

Based on the proposed regulation, Covered Entities will need to abide by the following requirements, among others[2]:

  1. Cybersecurity Program. Covered Entities will be required to establish and maintain a cybersecurity program to perform core cybersecurity functions, such as (a) identifying internal and external cyber risks; (b) using defensive infrastructure and implementing policies and procedures to protect Information Systems and the Nonpublic Information stored on the Information Systems; and (c) detecting and responding to cybersecurity events.
  2. Written Cybersecurity Policy. Covered Entities will be required to implement and maintain a written cybersecurity policy to address the protection of their Information Systems and the Nonpublic Information that is stored on those systems. The written cybersecurity policy must be reviewed by the Board of Directors or equivalent governing body, and approved by a senior officer of the Covered Entity.
  3. Chief Information Security Officer. Each Covered Entity will need to designate a qualified individual to serve as its Chief Information Security Officer (known as a “CISO”), who would be responsible for overseeing and implementing the cybersecurity program and enforcing the cybersecurity policy. This requirement may be met by using third-party service providers, but each Covered Entity must have a senior member of the organization oversee the service provider and retain responsibility for compliance with the regulation. Each Covered Entity will also need to employ sufficiently trained and competent cybersecurity personnel to manage its cybersecurity risks and implement security measures.
  4. Encryption of Nonpublic Information. Each Covered Entity will be required to encrypt all Nonpublic Information held or transmitted by the Covered Entity. There are limited exemptions where encryption is infeasible for a Covered Entity and the risks can be mitigated.
  5. Incident Response Plan. Each Covered Entity will be required to establish a written incident response plan that is designed to promptly respond to, and recover from, a cybersecurity event. All breaches must be reported to the DFS within 72 hours of detection.

Some smaller Covered Entities will be exempt from some of the requirements of the proposed regulation, but they are still required to comply with most of the general requirements such as adopting a cybersecurity program and naming a CISO. To qualify for the exemption, Covered Entities must have fewer than 1,000 customers, less than $5 million in gross annual revenue and less than $10 million in assets.

When Will the Regulation Take Effect?

The proposed regulation is expected to become effective on January 1, 2017, and Covered Entities will have 180 days from the regulation’s effective date to comply with its requirements. Thus, Covered Entities should expect to be required to comply with the final regulation by the end of June 2017 and will be required to submit annual certifications of compliance to the DFS beginning on January 15, 2018.

What Should You Do Now?

With less than a month now remaining before the final regulation comes into effect, all organizations covered by the proposed regulation will need to carefully review it and design their cybersecurity programs and procedures to comply once it becomes effective. This applies both to organizations directly covered by the regulation and to their business partners, whose relationships with Covered Entities may be affected if their cybersecurity practices are not adequate. The requirements of the regulation are complex and technical, and will require the involvement of management, specialized IT personnel and counsel to interpret them and assist in compliance.

For more information on the topic discussed, contact Michael J. Riela at riela@thsh.com or David R. Lallouz at lallouz@thsh.com.

For more information on Tannenbaum Helpern’s Cybersecurity and Data Security practice, visit http://bit.ly/2gmly7N.

[1] The proposed regulation can be found at http://www.dfs.ny.gov/legal/regulations/proposed/rp500t.pdf

[2] This article summarizes the most significant requirements under the proposed regulation, but does not summarize all of the requirements.

